Encryption: It’s Complicated

Data breaches have become so common at this point that the mere fact that a government agency such as the South Carolina Department of Revenue loses several million Social Security numbers and credit card numbers isn’t really that noteworthy. It’s another day in the life of the Internet. But what is remarkable is that there are organizations out there that are not deploying encryption technologies to protect personally identifiable information because it’s complicated. Really?

EncryptionData breaches have become so common at this point that the mere fact that a government agency such as the South Carolina Department of Revenue loses several million Social Security numbers and credit card numbers isn’t really that noteworthy. It’s another day in the life of the Internet. But what is remarkable is that there are organizations out there that are not deploying encryption technologies to protect personally identifiable information because it’s complicated. Really?

That’s an interesting term, complicated. It can be used in a number of different ways and have several meanings depending upon the context. The classical usage is as a synonym for complex, as in difficult to understand or unwind. And perhaps that’s what Nikki Haley, governor of South Carolina, meant when she said in a press conference earlier this week that the SSNs of millions of South Carolina residents weren’t encrypted at the time they were stolen because it’s “very complicated”.

Encryption is complicated. No argument there. It’s complicated enough that the smartest cryptographers in the world sometimes make mistakes and get things wrong. And people implementing cryptographic algorithms in various software packages make mistakes all the time and attackers find ways to circumvent the complicated encryption and get the data they’re after anyway. 

But there’s another popular usage for complicated, as well, and that’s the “it’s complicated”, Facebook-esque deployment of the term. This means, in effect, there are a lot of things involved here, lots of moving parts and it’s too complex to explain right now. This, I think, is what Haley meant when she made that fateful comment. Responding to a reporter’s question, Haley said that many banks and government agencies don’t encrypt Social Security numbers and the reason is that it’s “very complicated, it’s cumbersome and there’s a lot of numbers involved with it.”

The decision on whether to encrypt stored SSNs is not something that typically lands on the desk of a governor. Decisions about which technology to buy are made much farther down the food chain and there are probably a number of factors that go into it, including the difficulty of deploying an encryption solution, the perceived threat to citizens if their data was stolen, and, of course, money. Database encryption solutions aren’t free and they take time to implement. But it’s highly unlikely that anyone on the security team at the Department of Revenue recommended storing millions of SSNs in plaintext because the alternative–deploying an encryption package–was too complicated. 

More likely, someone looked at his budget, looked at the price of the database encryption package, and made a hard choice. Lots of businesses, government agencies, non-profits and other organizations face the same choice every year and some of them decide that the cost of the encryption outweighs the potential benefit. And that can work out fine. That is, until something like the South Carolina data breach happens. Then things tend to be not fine.

One could argue that Social Security numbers should not even be considered PII at this point, given that they’re used as account numbers and other identifiers by some companies and that they’re fairly easy to get your hands on if you’re of a mind. But that’s a discussion for another day. The point here is that yes, encryption is complicated and it does involve a lot of numbers, some of which have dollar signs in front of them. But the technology is sufficiently advanced at this point that it doesn’t have to be a nightmarish undertaking. 

Even a well-designed and well-implemented encryption system isn’t going to do you much good, though, if an attacker is able to get his hands on a valid set of credentials, as was the case in the South Carolina breach. In her press conference, Haley said that the attacker’s method for compromising the state’s database were “unbelievably creative”. Stealing user credentials is about as uncreative and pedestrian as attacks get. It’s probably number one on the attacker’s list of methods for getting in, or perhaps number two behind someone just handing her username and password across the table during dinner. 

Encryption may be complicated and it may also be “complicated” and it’s not going to solve all of your problems, but it’s almost certainly better than standing in front of a group of reporters or customers explaining why all that data just up and walked out the door.

Suggested articles

Discussion

  • Anonymous on

    Yes - it seems that every computer security "incident" I read about has involved "advanced" and "creative" techniques that are very "complicated" (read costly) to prevent.  Most seem to involve a computer user who is either lacking in common sense or untrained in protecting the important data to which he/she has access.

    We can/should do better!

    RWS

  • arden henderson on

    Great post! Thanks!

    Text below not for comments. Just for typo feedback:

    text: it's "very complicated".   fix: it's "very complicated."

    text: "it's complicated",      fix: "it's complicated,"

    text: "unbelievably creative".   fix: "unbelievably creative."

     

  • Anonymous on

    Very good article and right on point.  Someone needs to coach the governor to not even try to explain something that she obviously doesn't understand.  I thought that encryption of privacy information was required by federal law...I guess because its state-run I suppose state law has the jurisdiction.  SSN is useless now and we should abandon it for a better identity management system.

  • Anonymous on

    Encryption:

    I use a password manager/form filler to store and apply my long and strong passwords. Each website I frequent has a unique and long string that is "Very strong". This ability is the benefit I receive from using this program. I've come to rely on this capability.

    More and more, I see websites that open a login window that prevents my password manager access to the login fields and prevents pasting these long strong mixed hash of characters. So now what? What a brilliant policy?

    Humans aren't equiped to memorize (#eR5{/7Y9&g5R7%%c2cC//$#2@ssvfR6GG##) x 500 passwords of this type! By prohibiting me from access to this kind of software, online security is being degraded! So now what? How about my sons name? My address? My car model? Maybe use the same 6 character "Name" for every website I ever visit with an account?

    How short sighted can a security policy be? At 65, it sure looks to me that society is degrading on an icreasing curve down.

    I find it astonishing that the same human mind that can devise a security penetration cannot devise a pick-proof lock. Is this not proof of human de-evolution?

    The solution to these (and other) issues is not technical. It's the human/spirit.

    rs.fla

  • Commoner on

    dont fire the governor, fire the 'down the food chain' dope that never installed the product because he doesnt what to do in IT

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.